# Copyright 2012 OpenStack Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import uuid from keystoneclient import exceptions from keystoneclient.tests.unit.v3 import utils from keystoneclient.v3 import roles from testtools import matchers class RoleTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): super(RoleTests, self).setUp() self.key = 'role' self.collection_key = 'roles' self.model = roles.Role self.manager = self.client.roles def new_ref(self, **kwargs): kwargs = super(RoleTests, self).new_ref(**kwargs) kwargs.setdefault('name', uuid.uuid4().hex) return kwargs def _new_domain_ref(self, **kwargs): kwargs.setdefault('enabled', True) kwargs.setdefault('name', uuid.uuid4().hex) return kwargs def test_create_with_domain_id(self): ref = self.new_ref() ref['domain_id'] = uuid.uuid4().hex self.test_create(ref=ref) def test_create_with_domain(self): ref = self.new_ref() domain_ref = self._new_domain_ref() domain_ref['id'] = uuid.uuid4().hex ref['domain_id'] = domain_ref['id'] self.stub_entity('POST', entity=ref, status_code=201) returned = self.manager.create(name=ref['name'], domain=domain_ref) self.assertIsInstance(returned, self.model) for attr in ref: self.assertEqual( getattr(returned, attr), ref[attr], 'Expected different %s' % attr) def test_domain_role_grant(self): user_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('PUT', ['domains', domain_id, 'users', user_id, self.collection_key, ref['id']], status_code=201) self.manager.grant(role=ref['id'], domain=domain_id, user=user_id) def test_domain_role_grant_inherited(self): user_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('PUT', ['OS-INHERIT', 'domains', domain_id, 'users', user_id, self.collection_key, ref['id'], 'inherited_to_projects'], status_code=201) self.manager.grant(role=ref['id'], domain=domain_id, user=user_id, os_inherit_extension_inherited=True) def test_project_role_grant_inherited(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('PUT', ['OS-INHERIT', 'projects', project_id, 'users', user_id, self.collection_key, ref['id'], 'inherited_to_projects'], status_code=204) self.manager.grant(role=ref['id'], project=project_id, user=user_id, os_inherit_extension_inherited=True) def test_domain_group_role_grant(self): group_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('PUT', ['domains', domain_id, 'groups', group_id, self.collection_key, ref['id']], status_code=201) self.manager.grant(role=ref['id'], domain=domain_id, group=group_id) def test_domain_group_role_grant_inherited(self): group_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('PUT', ['OS-INHERIT', 'domains', domain_id, 'groups', group_id, self.collection_key, ref['id'], 'inherited_to_projects'], status_code=201) self.manager.grant(role=ref['id'], domain=domain_id, group=group_id, os_inherit_extension_inherited=True) def test_project_group_role_grant_inherited(self): group_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('PUT', ['OS-INHERIT', 'projects', project_id, 'groups', group_id, self.collection_key, ref['id'], 'inherited_to_projects'], status_code=204) self.manager.grant(role=ref['id'], project=project_id, group=group_id, os_inherit_extension_inherited=True) def test_domain_role_list(self): user_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref_list = [self.new_ref(), self.new_ref()] self.stub_entity('GET', ['domains', domain_id, 'users', user_id, self.collection_key], entity=ref_list) self.manager.list(domain=domain_id, user=user_id) def test_domain_role_list_inherited(self): user_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref_list = [self.new_ref(), self.new_ref()] self.stub_entity('GET', ['OS-INHERIT', 'domains', domain_id, 'users', user_id, self.collection_key, 'inherited_to_projects'], entity=ref_list) returned_list = self.manager.list(domain=domain_id, user=user_id, os_inherit_extension_inherited=True) self.assertThat(ref_list, matchers.HasLength(len(returned_list))) [self.assertIsInstance(r, self.model) for r in returned_list] def test_project_user_role_list_inherited(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref_list = [self.new_ref(), self.new_ref()] self.stub_entity('GET', ['OS-INHERIT', 'projects', project_id, 'users', user_id, self.collection_key, 'inherited_to_projects'], entity=ref_list) returned_list = self.manager.list(project=project_id, user=user_id, os_inherit_extension_inherited=True) self.assertThat(ref_list, matchers.HasLength(len(returned_list))) [self.assertIsInstance(r, self.model) for r in returned_list] def test_domain_group_role_list(self): group_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref_list = [self.new_ref(), self.new_ref()] self.stub_entity('GET', ['domains', domain_id, 'groups', group_id, self.collection_key], entity=ref_list) self.manager.list(domain=domain_id, group=group_id) def test_domain_group_role_list_inherited(self): group_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref_list = [self.new_ref(), self.new_ref()] self.stub_entity('GET', ['OS-INHERIT', 'domains', domain_id, 'groups', group_id, self.collection_key, 'inherited_to_projects'], entity=ref_list) returned_list = self.manager.list(domain=domain_id, group=group_id, os_inherit_extension_inherited=True) self.assertThat(ref_list, matchers.HasLength(len(returned_list))) [self.assertIsInstance(r, self.model) for r in returned_list] def test_project_group_role_list_inherited(self): group_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref_list = [self.new_ref(), self.new_ref()] self.stub_entity('GET', ['OS-INHERIT', 'projects', project_id, 'groups', group_id, self.collection_key, 'inherited_to_projects'], entity=ref_list) returned_list = self.manager.list(project=project_id, group=group_id, os_inherit_extension_inherited=True) self.assertThat(ref_list, matchers.HasLength(len(returned_list))) [self.assertIsInstance(r, self.model) for r in returned_list] def test_domain_role_check(self): user_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('HEAD', ['domains', domain_id, 'users', user_id, self.collection_key, ref['id']], status_code=204) self.manager.check(role=ref['id'], domain=domain_id, user=user_id) def test_domain_role_check_inherited(self): user_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('HEAD', ['OS-INHERIT', 'domains', domain_id, 'users', user_id, self.collection_key, ref['id'], 'inherited_to_projects'], status_code=204) self.manager.check(role=ref['id'], domain=domain_id, user=user_id, os_inherit_extension_inherited=True) def test_project_role_check_inherited(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('HEAD', ['OS-INHERIT', 'projects', project_id, 'users', user_id, self.collection_key, ref['id'], 'inherited_to_projects'], status_code=204) self.manager.check(role=ref['id'], project=project_id, user=user_id, os_inherit_extension_inherited=True) def test_domain_group_role_check(self): return group_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('HEAD', ['domains', domain_id, 'groups', group_id, self.collection_key, ref['id']], status_code=204) self.manager.check(role=ref['id'], domain=domain_id, group=group_id) def test_domain_group_role_check_inherited(self): group_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('HEAD', ['OS-INHERIT', 'domains', domain_id, 'groups', group_id, self.collection_key, ref['id'], 'inherited_to_projects'], status_code=204) self.manager.check(role=ref['id'], domain=domain_id, group=group_id, os_inherit_extension_inherited=True) def test_project_group_role_check_inherited(self): group_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('HEAD', ['OS-INHERIT', 'projects', project_id, 'groups', group_id, self.collection_key, ref['id'], 'inherited_to_projects'], status_code=204) self.manager.check(role=ref['id'], project=project_id, group=group_id, os_inherit_extension_inherited=True) def test_domain_role_revoke(self): user_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('DELETE', ['domains', domain_id, 'users', user_id, self.collection_key, ref['id']], status_code=204) self.manager.revoke(role=ref['id'], domain=domain_id, user=user_id) def test_domain_group_role_revoke(self): group_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('DELETE', ['domains', domain_id, 'groups', group_id, self.collection_key, ref['id']], status_code=204) self.manager.revoke(role=ref['id'], domain=domain_id, group=group_id) def test_domain_role_revoke_inherited(self): user_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('DELETE', ['OS-INHERIT', 'domains', domain_id, 'users', user_id, self.collection_key, ref['id'], 'inherited_to_projects'], status_code=204) self.manager.revoke(role=ref['id'], domain=domain_id, user=user_id, os_inherit_extension_inherited=True) def test_project_role_revoke_inherited(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('DELETE', ['OS-INHERIT', 'projects', project_id, 'users', user_id, self.collection_key, ref['id'], 'inherited_to_projects'], status_code=204) self.manager.revoke(role=ref['id'], project=project_id, user=user_id, os_inherit_extension_inherited=True) def test_domain_group_role_revoke_inherited(self): group_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('DELETE', ['OS-INHERIT', 'domains', domain_id, 'groups', group_id, self.collection_key, ref['id'], 'inherited_to_projects'], status_code=200) self.manager.revoke(role=ref['id'], domain=domain_id, group=group_id, os_inherit_extension_inherited=True) def test_project_group_role_revoke_inherited(self): group_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('DELETE', ['OS-INHERIT', 'projects', project_id, 'groups', group_id, self.collection_key, ref['id'], 'inherited_to_projects'], status_code=204) self.manager.revoke(role=ref['id'], project=project_id, group=group_id, os_inherit_extension_inherited=True) def test_project_role_grant(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('PUT', ['projects', project_id, 'users', user_id, self.collection_key, ref['id']], status_code=201) self.manager.grant(role=ref['id'], project=project_id, user=user_id) def test_project_group_role_grant(self): group_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('PUT', ['projects', project_id, 'groups', group_id, self.collection_key, ref['id']], status_code=201) self.manager.grant(role=ref['id'], project=project_id, group=group_id) def test_project_role_list(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref_list = [self.new_ref(), self.new_ref()] self.stub_entity('GET', ['projects', project_id, 'users', user_id, self.collection_key], entity=ref_list) self.manager.list(project=project_id, user=user_id) def test_project_group_role_list(self): group_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref_list = [self.new_ref(), self.new_ref()] self.stub_entity('GET', ['projects', project_id, 'groups', group_id, self.collection_key], entity=ref_list) self.manager.list(project=project_id, group=group_id) def test_project_role_check(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('HEAD', ['projects', project_id, 'users', user_id, self.collection_key, ref['id']], status_code=200) self.manager.check(role=ref['id'], project=project_id, user=user_id) def test_project_group_role_check(self): group_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('HEAD', ['projects', project_id, 'groups', group_id, self.collection_key, ref['id']], status_code=200) self.manager.check(role=ref['id'], project=project_id, group=group_id) def test_project_role_revoke(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('DELETE', ['projects', project_id, 'users', user_id, self.collection_key, ref['id']], status_code=204) self.manager.revoke(role=ref['id'], project=project_id, user=user_id) def test_project_group_role_revoke(self): group_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.stub_url('DELETE', ['projects', project_id, 'groups', group_id, self.collection_key, ref['id']], status_code=204) self.manager.revoke(role=ref['id'], project=project_id, group=group_id) def test_domain_project_role_grant_fails(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.assertRaises( exceptions.ValidationError, self.manager.grant, role=ref['id'], domain=domain_id, project=project_id, user=user_id) def test_domain_project_role_list_fails(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex self.assertRaises( exceptions.ValidationError, self.manager.list, domain=domain_id, project=project_id, user=user_id) def test_domain_project_role_check_fails(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.assertRaises( exceptions.ValidationError, self.manager.check, role=ref['id'], domain=domain_id, project=project_id, user=user_id) def test_domain_project_role_revoke_fails(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex ref = self.new_ref() self.assertRaises( exceptions.ValidationError, self.manager.revoke, role=ref['id'], domain=domain_id, project=project_id, user=user_id) def test_user_group_role_grant_fails(self): user_id = uuid.uuid4().hex group_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.assertRaises( exceptions.ValidationError, self.manager.grant, role=ref['id'], project=project_id, group=group_id, user=user_id) def test_user_group_role_list_fails(self): user_id = uuid.uuid4().hex group_id = uuid.uuid4().hex project_id = uuid.uuid4().hex self.assertRaises( exceptions.ValidationError, self.manager.list, project=project_id, group=group_id, user=user_id) def test_user_group_role_check_fails(self): user_id = uuid.uuid4().hex group_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.assertRaises( exceptions.ValidationError, self.manager.check, role=ref['id'], project=project_id, group=group_id, user=user_id) def test_user_group_role_revoke_fails(self): user_id = uuid.uuid4().hex group_id = uuid.uuid4().hex project_id = uuid.uuid4().hex ref = self.new_ref() self.assertRaises( exceptions.ValidationError, self.manager.revoke, role=ref['id'], project=project_id, group=group_id, user=user_id) class DeprecatedImpliedRoleTests(utils.ClientTestCase): def setUp(self): super(DeprecatedImpliedRoleTests, self).setUp() self.key = 'role' self.collection_key = 'roles' self.model = roles.Role self.manager = self.client.roles def test_implied_create(self): prior_id = uuid.uuid4().hex prior_name = uuid.uuid4().hex implied_id = uuid.uuid4().hex implied_name = uuid.uuid4().hex mock_response = { "role_inference": { "implies": { "id": implied_id, "links": {"self": "http://host/v3/roles/%s" % implied_id}, "name": implied_name }, "prior_role": { "id": prior_id, "links": {"self": "http://host/v3/roles/%s" % prior_id}, "name": prior_name } } } self.stub_url('PUT', ['roles', prior_id, 'implies', implied_id], json=mock_response, status_code=201) with self.deprecations.expect_deprecations_here(): manager_result = self.manager.create_implied(prior_id, implied_id) self.assertIsInstance(manager_result, roles.InferenceRule) self.assertEqual(mock_response['role_inference']['implies'], manager_result.implies) self.assertEqual(mock_response['role_inference']['prior_role'], manager_result.prior_role) class ImpliedRoleTests(utils.ClientTestCase, utils.CrudTests): def setUp(self): super(ImpliedRoleTests, self).setUp() self.key = 'role_inference' self.collection_key = 'role_inferences' self.model = roles.InferenceRule self.manager = self.client.inference_rules def test_check(self): prior_role_id = uuid.uuid4().hex implied_role_id = uuid.uuid4().hex self.stub_url('HEAD', ['roles', prior_role_id, 'implies', implied_role_id], status_code=204) result = self.manager.check(prior_role_id, implied_role_id) self.assertTrue(result) def test_get(self): prior_id = uuid.uuid4().hex prior_name = uuid.uuid4().hex implied_id = uuid.uuid4().hex implied_name = uuid.uuid4().hex mock_response = { "role_inference": { "implies": { "id": implied_id, "links": {"self": "http://host/v3/roles/%s" % implied_id}, "name": implied_name }, "prior_role": { "id": prior_id, "links": {"self": "http://host/v3/roles/%s" % prior_id}, "name": prior_name } } } self.stub_url('GET', ['roles', prior_id, 'implies', implied_id], json=mock_response, status_code=200) manager_result = self.manager.get(prior_id, implied_id) self.assertIsInstance(manager_result, roles.InferenceRule) self.assertEqual(mock_response['role_inference']['implies'], manager_result.implies) self.assertEqual(mock_response['role_inference']['prior_role'], manager_result.prior_role) def test_create(self): prior_id = uuid.uuid4().hex prior_name = uuid.uuid4().hex implied_id = uuid.uuid4().hex implied_name = uuid.uuid4().hex mock_response = { "role_inference": { "implies": { "id": implied_id, "links": {"self": "http://host/v3/roles/%s" % implied_id}, "name": implied_name }, "prior_role": { "id": prior_id, "links": {"self": "http://host/v3/roles/%s" % prior_id}, "name": prior_name } } } self.stub_url('PUT', ['roles', prior_id, 'implies', implied_id], json=mock_response, status_code=201) manager_result = self.manager.create(prior_id, implied_id) self.assertIsInstance(manager_result, roles.InferenceRule) self.assertEqual(mock_response['role_inference']['implies'], manager_result.implies) self.assertEqual(mock_response['role_inference']['prior_role'], manager_result.prior_role) def test_delete(self): prior_role_id = uuid.uuid4().hex implied_role_id = uuid.uuid4().hex self.stub_url('DELETE', ['roles', prior_role_id, 'implies', implied_role_id], status_code=204) status, body = self.manager.delete(prior_role_id, implied_role_id) self.assertEqual(204, status.status_code) self.assertIsNone(body) def test_list_role_inferences(self): prior_id = uuid.uuid4().hex prior_name = uuid.uuid4().hex implied_id = uuid.uuid4().hex implied_name = uuid.uuid4().hex mock_response = { "role_inferences": [{ "implies": [{ "id": implied_id, "links": {"self": "http://host/v3/roles/%s" % implied_id}, "name": implied_name }], "prior_role": { "id": prior_id, "links": {"self": "http://host/v3/roles/%s" % prior_id}, "name": prior_name } }] } self.stub_url('GET', ['role_inferences'], json=mock_response, status_code=200) manager_result = self.manager.list_inference_roles() self.assertEqual(1, len(manager_result)) self.assertIsInstance(manager_result[0], roles.InferenceRule) self.assertEqual(mock_response['role_inferences'][0]['implies'], manager_result[0].implies) self.assertEqual(mock_response['role_inferences'][0]['prior_role'], manager_result[0].prior_role) def test_list(self): prior_id = uuid.uuid4().hex prior_name = uuid.uuid4().hex implied_id = uuid.uuid4().hex implied_name = uuid.uuid4().hex mock_response = { "role_inference": { "implies": [{ "id": implied_id, "links": {"self": "http://host/v3/roles/%s" % implied_id}, "name": implied_name }], "prior_role": { "id": prior_id, "links": {"self": "http://host/v3/roles/%s" % prior_id}, "name": prior_name } }, "links": {"self": "http://host/v3/roles/%s/implies" % prior_id} } self.stub_url('GET', ['roles', prior_id, 'implies'], json=mock_response, status_code=200) manager_result = self.manager.list(prior_id) self.assertIsInstance(manager_result, roles.InferenceRule) self.assertEqual(1, len(manager_result.implies)) self.assertEqual(mock_response['role_inference']['implies'], manager_result.implies) self.assertEqual(mock_response['role_inference']['prior_role'], manager_result.prior_role) def test_update(self): # Update not supported for rule inferences self.assertRaises(exceptions.MethodNotImplemented, self.manager.update) def test_find(self): # Find not supported for rule inferences self.assertRaises(exceptions.MethodNotImplemented, self.manager.find) def test_put(self): # Put not supported for rule inferences self.assertRaises(exceptions.MethodNotImplemented, self.manager.put) def test_list_params(self): # Put not supported for rule inferences self.skipTest("list params not supported by rule inferences")